Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 25d8bced authored by Florian Westphal's avatar Florian Westphal Committed by Pablo Neira Ayuso
Browse files

selftests: add script to stress-test nft packet path vs. control plane 



Start flood ping for each cpu while loading/flushing rulesets to make
sure we do not access already-free'd rules from nf_tables evaluation loop.

Also add this to TARGETS so 'make run_tests' in selftest dir runs it
automatically.

This would have caught the bug fixed in previous change
("netfilter: nf_tables: do not skip inactive chains during generation update")
sooner.

Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent 0fb39bbe

tools/testing/selftests/Makefile

+1 −0
Original line number Diff line number Diff line
@@ -24,6 +24,7 @@ TARGETS += memory-hotplug 
TARGETS += mount

TARGETS += mqueue

TARGETS += net

TARGETS += netfilter

TARGETS += nsfs

TARGETS += powerpc

TARGETS += proc

tools/testing/selftests/netfilter/Makefile

0 → 100644
+6 −0
Original line number Diff line number Diff line 
# SPDX-License-Identifier: GPL-2.0

# Makefile for netfilter selftests



TEST_PROGS := nft_trans_stress.sh



include ../lib.mk

tools/testing/selftests/netfilter/config

0 → 100644
+2 −0
Original line number Diff line number Diff line 
CONFIG_NET_NS=y

NF_TABLES_INET=y

tools/testing/selftests/netfilter/nft_trans_stress.sh

0 → 100755
+78 −0
Original line number Diff line number Diff line 
#!/bin/bash

#

# This test is for stress-testing the nf_tables config plane path vs.

# packet path processing: Make sure we never release rules that are

# still visible to other cpus.

#

# set -e



# Kselftest framework requirement - SKIP code is 4.

ksft_skip=4



testns=testns1

tables="foo bar baz quux"



nft --version > /dev/null 2>&1

if [ $? -ne 0 ];then

	echo "SKIP: Could not run test without nft tool"

	exit $ksft_skip

fi



ip -Version > /dev/null 2>&1

if [ $? -ne 0 ];then

	echo "SKIP: Could not run test without ip tool"

	exit $ksft_skip

fi



tmp=$(mktemp)



for table in $tables; do

	echo add table inet "$table" >> "$tmp"

	echo flush table inet "$table" >> "$tmp"



	echo "add chain inet $table INPUT { type filter hook input priority 0; }" >> "$tmp"

	echo "add chain inet $table OUTPUT { type filter hook output priority 0; }" >> "$tmp"

	for c in $(seq 1 400); do

		chain=$(printf "chain%03u" "$c")

		echo "add chain inet $table $chain" >> "$tmp"

	done



	for c in $(seq 1 400); do

		chain=$(printf "chain%03u" "$c")

		for BASE in INPUT OUTPUT; do

			echo "add rule inet $table $BASE counter jump $chain" >> "$tmp"

		done

		echo "add rule inet $table $chain counter return" >> "$tmp"

	done

done



ip netns add "$testns"

ip -netns "$testns" link set lo up



lscpu | grep ^CPU\(s\): | ( read cpu cpunum ;

cpunum=$((cpunum-1))

for i in $(seq 0 $cpunum);do

	mask=$(printf 0x%x $((1<<$i)))

        ip netns exec "$testns" taskset $mask ping -4 127.0.0.1 -fq > /dev/null &

        ip netns exec "$testns" taskset $mask ping -6 ::1 -fq > /dev/null &

done)



sleep 1



for i in $(seq 1 10) ; do ip netns exec "$testns" nft -f "$tmp" & done



for table in $tables;do

	randsleep=$((RANDOM%10))

	sleep $randsleep

	ip netns exec "$testns" nft delete table inet $table 2>/dev/null

done



randsleep=$((RANDOM%10))

sleep $randsleep



pkill -9 ping



wait



rm -f "$tmp"

ip netns del "$testns"